Manage Privacy: Internet Explorer 10 and Resulting Internet Communication
Applies To: Windows Server 2012, Windows 8
In this section
This section provides overview information about using Internet Explorer 10 and suggestions for sources of information about how to balance user requirements for Internet access with your organization's requirements to protect networked assets. It includes the following subsections:
Benefits and purposes Explains the benefits of Internet Explorer 10.
Enhanced Security Configuration Describes Internet Explorer Enhanced Security Configuration.
Security-related features Provides examples of the security-related features that are offered in Internet Explorer 10, including SmartScreen Filter.
Resources for learning about security in Internet Explorer 10 Lists resources for learning about topics that are related to security in Internet Explorer 10. This includes resources to help you learn about:
Security and privacy settings
Mitigating the risks inherent in web-based applications and scripts
Methods for controlling the configuration of Internet Explorer 10 in your organization by using Group Policy settings, the Internet Explorer Administration Kit (IEAK), or both
Procedures for controlling Internet Explorer Details procedures to perform specific actions related to Internet Explorer 10. These actions include:
Choosing a web browser during unattended installation or by using the Default Programs interface.
Turning Internet Explorer Enhanced Security Configuration off or on.
Setting the security level to High for specific websites.
The following information is not included in this document:
This section of this document describes Internet Explorer 10, but it does not describe related features such as Content Advisor or the wizard for making a connection to the Internet.
It does not describe error reporting for Internet Explorer. For information about this feature, see Windows Error Reporting and the Problem Reports and Solutions Feature in Windows 8 and Windows Server 2012.
It is beyond the scope of this document to describe all the aspects of maintaining appropriate levels of security in an organization where users perform such actions as connecting to websites, running software from the Internet, or downloading content from the Internet.
For more information about Internet Explorer 10, see the following resources:
Help for Internet Explorer. (Open Internet Explorer, and press F1.)
Internet Explorer 10 home page on Microsoft TechNet
Benefits and purposes
Internet Explorer 10 is designed to make it easy to browse and interact with sites on an intranet or on the Internet. It differs from many of the other features that are described in this document because its main function is to communicate with sites on the Internet or an intranet (which contrasts with features that communicate with the Internet in the process of supporting another activity).
Internet Explorer 10 is designed to be highly configurable, and it has security and privacy settings to help protect your organization's networked assets while providing access to useful information and tools. Internet Explorer Enhanced Security Configuration, which is enabled by default when you install Windows Server 2012, helps make your server more secure by limiting exposure to malicious websites.
Note
Using Internet Explorer 10 allows enterprises to continue using existing line-of-business applications. It also provides a new browsing experience for a corporate workforce that is using Windows touch devices. In addition, there are more than 1,500 Group Policy settings that IT professionals can use to provide management and configuration support in Internet Explorer 10.
Enhanced Security Configuration
Internet Explorer Enhanced Security Configuration is turned on by default when you install Windows Server 2012. This configuration assigns specific levels of security settings to four zones that are defined in Internet Explorer 10: the Internet zone, the Local intranet zone, the Trusted sites zone, and the Restricted sites zone. For example, it assigns High security settings to the Internet zone and the Restricted sites zone.
The configuration also contains a variety of other settings. These include specific settings such as whether the Temporary Internet Files folder is emptied when the browser is closed, and settings that determine which zone standard websites are added to (for example, the Windows Update website is added to the Trusted sites zone).
For more information about Internet Explorer Enhanced Security Configuration, on a server that is running Windows Server 2012, open Internet Explorer, and then click one of the following links:
If Internet Explorer Enhanced Security Configuration is turned on, click Effects of Internet Explorer Enhanced Security Configuration.
If Internet Explorer Enhanced Security Configuration is turned off, click Internet Explorer Enhanced Security Configuration.
Security-related features
Security-related features in Internet Explorer 10 include:
SmartScreen Filter Blocks the download of malicious software and providing enhanced antimalware support. Administrators can use Group Policy to configure the behavior of the SmartScreen Filter, for example, to prevent users from overriding the warning shown when a reported unsafe site or download is detected. The SmartScreen Filter is described in Manage Privacy: SmartScreen Filter and Resulting Internet Communication later in this document.
ActiveX Filtering Provides control over how web pages run on your computers. With ActiveX Filtering, you can turn off ActiveX controls for all websites, and then turn them on selectively. Although ActiveX controls can enable useful web experiences for videos and more, some organizations may want to limit how they run for security and performance.
Delete Browsing History Enables users and organizations to delete browsing history for all websites. Administrators can configure the Delete Browsing History options through Group Policy or the Internet Explorer Administration Kit. Administrators can also configure which sites are automatically included in the Favorites list. This enables them to create policies that help ensure security by aggressively clearing Internet files, without affecting day-to-day interactions with users’ preferred and favorite websites. The Delete Browser History on Exit check box (on the General tab of the Internet Options dialog box) allows users and administrators to automatically delete the browsing history on exit.
InPrivate Browsing Deletes the user’s browsing history data that is accumulated on the computer when the Internet Explorer browsing windows for that session are closed. A network administrator can use Group Policy to control how InPrivate Browsing is used in their enterprise.
Tracking Protection Lists Help users stay in control of their privacy as they browse the web. Much of the content, images, ads, and analytics that users see are provided by websites outside your organization. Although this content can provide value to your organization, these websites have the ability to potentially track users’ behaviors across multiple sites.
Tracking Protection Lists contain domains that Internet Explorer will block in addition to domains that Internet Explorer will not block. Tracking Protection stays on until you decide to turn it off. To use this functionality, you simply have to add a Tracking Protection List from one of the Tracking Protection List providers.
Enhanced Protected Mode Extends Protected Mode, which was introduced in Internet Explorer 7 for Windows Vista. Protected Mode helped prevent attackers from installing software or modifying system settings by reducing some of the capabilities that are available to Internet Explorer. Enhanced Protected Mode extends this concept by further restricting capabilities for accessing personal information and for accessing information on corporate intranets as follows:
Protects personal information Restricts Internet Explorer from locations that contain personal information until you grant permissions to it. This helps prevent unauthorized access to personal information.
Protects corporate assets Restricts access to valuable information on corporate network resources by controlling access through Internet tab processes as follows:
Internet tab processes do not have access to a user's domain credentials.
Internet tab processes cannot operate as local web servers.
Internet tab processes cannot make connections to intranet servers.
Warning
Internet Explorer always runs with Enhanced Protected Mode enabled. Because Internet Explorer offers free browsing, the compatibility impact of this security feature is minimal. However, some add-ons, such as Adobe Flash and certain toolbars are not yet compatible with Enhanced Protected Mode. To enable Enhanced Protected Mode in the classic user interface, click Tools, click Internet Options, click the Advanced tab, and then click Enable Enhanced Protection Mode*.
Secure Sockets Layer (SSL) Provides a security report icon to the right of the address bar when you view a page that uses a Hypertext Transfer Protocol Secure (HTTPS) connection. This makes it easier to see whether web transactions are secured by SSL or Transport Layer Security (TLS). Clicking the icon displays a report that describes the certificate that is used to encrypt the connection and the certification authority (CA) that issued the certificate. The security report also provides links to more detailed information.
Internet Explorer 10 also supports high assurance certificates, which provide further confidence to users that they are communicating with a verified organization. This verification is granted by existing CAs and shows up in the browser as a clear green fill in the address bar.
Microsoft ActiveX Opt-In Enables users to selectively allow or prevent running the ActiveX control. Internet Explorer 10 disables all ActiveX controls that were not used in Internet Explorer 6 and all ActiveX controls that are not flagged for use on the Internet. When users encounter an ActiveX control for the first time, they are prompted to choose if they want to use the control. By default, the ActiveX opt-in does not apply to Intranet and Trusted Site zones. Controls for those zones, including preapproved controls, run without prompting.
The following list names some of the security-related features in Internet Explorer 10 that are continued from earlier versions of Internet Explorer.
**Privacy tab ** This tab (click Tools, and then click Internet options) provides flexibility for blocking or allowing cookies, based on the website that the cookie came from or the type of cookie. Types of cookies include first-party cookies, third-party cookies, and cookies that do not have a compact privacy policy. This tab also includes options to control website requests for physical location data, the ability to block pop-ups, and the ability to run toolbars and extensions when InPrivate browsing is enabled.
Security settings that define security zones For each zone, users can control how Internet Explorer 10 handles higher-risk items such as ActiveX controls, downloads, and scripts.
Support for content-restricted inline floating frames (IFrames) This type of support enables developers to implement IFrames in a way that makes it more difficult for malicious authors to start email-based or content-based attacks.
A configurable pop-up blocker This helps you control pop-ups.
An improved interface for managing add-ons Add-ons are programs that extend the capabilities of the browser.
For more information, see the Internet Explorer 10 home page on Microsoft TechNet.
Resources for learning about security in Internet Explorer 10
This subsection lists resources to help you learn about the following topics that are related to security in Internet Explorer 10:
Learn about mitigating the risks inherent in web-based applications and scripts
Learn about Group Policy Objects that control configuration settings
In addition, for information about unattended installation, see the resources listed in Appendix A: Resources for Learning About Automated Installation and Deployment later in this document.
Learn about security and privacy settings
Following are sources of detailed information about the security and privacy settings in Internet Explorer 10:
In addition, the privacy statement for Internet Explorer 10 includes information about some of the features in Internet Explorer 10: Windows Internet Explorer 10 Privacy Statement.
Learn about mitigating the risks inherent in web-based applications and scripts
In network-based and Internet-based environments, code can take a variety of forms including scripts within documents, scripts within email messages, or applications or other code objects that are running within web pages. This code can move across the Internet, and it is sometimes referred to as "mobile code." Configuration settings provide ways for you to control how Internet Explorer 10 responds when a user tries to run mobile code.
The following examples explain how you can customize the Internet Explorer configuration that is deployed in your organization.
You can control the code (in ActiveX controls or in scripts, for instance) that users can run. Do this by customizing Authenticode settings. For example, this can prevent users from running any unsigned code, or enable them to only run code that is signed by specific authors. For more information, see Code-Signing Best Practices.
If you want to permit the use of ActiveX controls, but you do not want users to download code directly from the Internet, you can specify that when Internet Explorer 10 looks for a requested executable, it looks on your internal website instead of the Internet. You can do this by changing a registry key.
Warning
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter issues after manual changes are applied.
The registry key that you will change specifies an Internet search path for Internet-based code, as follows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CodeBaseSearchPath
This registry key usually contains the keyword CodeBase. When CodeBase is present, calls to CoGetClassObjectFromURL check the szCodeURL location to download components. After CodeBase, the CodeBaseSearchPath registry key usually lists additional URLs in the Internet search path, with each URL enclosed in angle brackets and separated by a semicolon.
If you remove CodeBase from the registry key, and instead specify a site on your intranet, software will check that site, not an Internet site, for downloadable components. The URL that is specified in CodeBaseSearchPath will receive an HTTP POST request with data in the following format, and respond with the object to install and load.
CLSID={class id} Version=a,b,c,d MIMETYPE=mimetypeFor more information, search for all instances of CodeBaseSearchPath in the following MSDN topic: Implementing Internet Component Download.
Learn about Group Policy Objects that control configuration settings
You can control configuration settings for Internet Explorer 10 by using Group Policy Objects (GPOs). Internet Explorer 10 provides nearly 1,500 Group Policy settings that IT pros can use to manage and control the web browser configuration. For more information, see Group Policy Settings in Internet Explorer 10.
You can also control the configuration of Internet Explorer by using the Internet Explorer Administration Kit. For more information, see Learn about the Internet Explorer Administration Kit later in this section.
To learn about specific Group Policy settings that can be applied to computers running Windows 8 and Windows Server 2012, see the following sources of information:
Learn about the Internet Explorer Administration Kit
You can use the Internet Explorer Administration Kit (IEAK) to create a customized Internet Explorer package for use in your organization. You can then deploy your customized package by using standard means such as network shared folders, intranet sites, or through a system management solution, such as Microsoft System Center Configuration Manager. (You can also control the configuration of Internet Explorer by using Group Policy.)
A few of the features and resources in the IEAK include:
Internet Explorer Customization Wizard. Step-by-step screens guide you through the process of creating customized browser packages that can be installed on client computers.
IEAK Help. The IEAK Help includes many conceptual and procedural topics that you can view by using the Contents and Search tabs. You can also print topics from IEAK Help.
For more information about the IEAK, see Internet Explorer Administration Kit (IEAK) Information and Downloads.
Procedures for controlling Internet Explorer
This subsection provides procedures to carry out the following tasks:
Control the browsers that are available
Turn Internet Explorer Enhanced Security Configuration on or off
Set the security level to High for specific websites
Procedures for controlling web browsers
Methods for controlling the browsers that are available include:
Unattended installation by using an answer file
The Default Programs interface
To specify a browser during unattended installation by using an answer file
Use the methods that you prefer for unattended installation or remote installation to create an answer file. For more information about unattended and remote installation, see Appendix A: Resources for Learning About Automated Installation and Deployment later in this document.
Confirm that your answer file includes the following lines. If you already have a <ClientApplications> section in your answer file, the "Internet" line (the line containing information about your browser) should be included in the <ClientApplications> section rather than repeating the section.
<ClientApplications>
<Internet>browser_canonical_name</Internet>
</ClientApplications>
For browser_canonical_name, specify the canonical name that is coded into your web browser.
To remove visible entry points to Internet Explorer during unattended installation by using an answer file
Use the methods that you prefer for unattended installation or remote installation to create an answer file. For more information about unattended and remote installation, see Appendix A: Resources for Learning About Automated Installation and Deployment later in this document.
Confirm that your answer file includes the following lines. If you already have a <WindowsFeatures> section in your answer file, the "ShowInternetExplorer" line should be included in the <WindowsFeatures> section rather than repeating the section.
<WindowsFeatures>
<ShowInternetExplorer>false</ShowInternetExplorer>
</WindowsFeatures>
Note
This procedure removes visible entry points to Internet Explorer, but it does not prevent Internet Explorer from running.
To specify a browser through the default programs interface
In Control Panel, click Default Programs, and then click Set your default programs.
Under Programs, click the browser that you want to select as the default.
Note
If the web browser that you want to use does not appear by name, contact the vendor of that program for information about how to configure it as the default.
To use the selected program as the default for opening all file types and protocols, click Set this program as default.
As an alternative, you can click Choose defaults for this program, and then specify which file types and protocols the selected program should open by default.
Procedure to turn Internet Explorer Enhanced Security Configuration on or off
Before you begin this procedure, confirm that no instances of Internet Explorer are running; otherwise, you will have to close and reopen all instances of Internet Explorer after you complete this procedure.
To turn Internet Explorer Enhanced Security Configuration on or off
Open Server Manager and click Configure this local server to open the Local Server configuration page.
In the Properties area, next to IE Enhanced Security Configuration, click On to open the Internet Explorer Enhanced Security Configuration dialog box.
To allow or prevent members of the Local administrators security group to use Internet Explorer in its default client configuration, under Administrators, click On or Off.
To allow or prevent members of all other groups to use Internet Explorer in its default client configuration, under Users, click On or Off.
Procedures for setting the security level to High for specific websites
The procedures that follow provide information about how to set the security level for a particular website to High, which prevents actions such as running scripts and downloading files from the site.
For information about planning a configuration for your organization to control whether Internet Explorer allows downloads or if it allows plug-ins, ActiveX controls, or scripts to run, see Security-related features and Learn about security and privacy settings earlier in this section.
To configure a specific computer with a security level of High for specific sites
On the computer that you want to configure, open Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
Click Restricted sites, and under Security level for this zone, make sure that the slider for the security level is set to High.
Note
If the Internet Explorer Enhanced Security Configuration is turned on, the slider will be set to High, and it cannot be adjusted.
If the Internet Explorer Enhanced Security Configuration is turned off, the slider can be adjusted, and the security level can be set to a Custom level. If it is set to a Custom level, click Default Level, and then make sure that the slider for the security level is set to High.
With Restricted sites still selected, click Sites.
In Add this website to the zone, type the website address that you want to add to the list of restricted sites. You can use an asterisk as a wildcard character. For example, for websites at Example.Example.com and www.Example.com, you could type:
https://*.Example.com
Click Add.
To use IEAK to set the security level to High for specific sites
In Internet Explorer Administration Kit, navigate to the Security and Privacy Settings page of the customization wizard.
In the Security Zones and Privacy section, select Import the current security zones and privacy settings. Click Modify Settings.
In the details pane, double-click Security Zones and Content Ratings.
Under Security Zones, click Import the current security zones and privacy settings, and then click Modify Settings.
Select Restricted sites.
Under Security level for this zone, make sure that the slider for the security level is set to High.
With Restricted sites still selected, click Sites.
In Add this website to the zone, type a website address that you want to restrict. You can use an asterisk as a wildcard character. For example, for websites at Example.Example.com and www.Example.com, you could type:
https://*.Example.com
Click Add.